cyphunk / JTAGenum

Given an Arduino-compatible microcontroller or Raspberry Pi (experimental), JTAGenum scans pins[] for basic JTAG functionality and can be used to enumerate the Instruction Register for undocumented instructions. Props to JTAG scanner and Arduinull, which came before JTAGenum and on which much of the code and logic is based. Feel free to branch and modify religiously (readme, credits, whatever).
http://deadhacker.com/tools

Teensy 4.0 #12

Open brandonros opened 4 years ago

brandonros commented 4 years ago

Is Teensy 4.0 supported?

cyphunk commented 4 years ago

Yes, I think so. If Teensy 4.0 has support in Teensyduino then it will work without or with very little modification to JTAGenum. I see on the Teensy 4 release page that they say Teensyduino can be used to program Teensy 4.0 ("Teensy 4.0 can be programmed using the Arduino IDE with Teensyduino add-on."). I have not had a chance to test it yet.

brandonros commented 4 years ago

image

Can you recommend what pins I would need to connect? I have a 2x5 (10-pin) JTAG header I am trying to reverse engineer with a Teensy 4 and could use a bit of direction if you don't mind.

image

cyphunk commented 4 years ago

This board looks very welcoming to RE. Have you checked if you can find a footprint for the MCU? Because there are so many traces you may be able to map the JTAG pins, or at least map one to confirm it is connected (which is likely). Next we would want to check if the MCU has any security features to disable JTAG through fuses, which we may or may not find in the general datasheet.

brandonros commented 4 years ago

https://www.continental.com/en/press/press-releases/2017-03-28-control-unit-e-class-64576

> Next we would want to check if the MCU has any security features to disable JTAG through fuses, which we may or may not find in the general datasheet.

I believe JTAG is disabled since this is a "production" device but I thought at least IDCODE would work.

I'm not sure if I need some kind of fuse/resistor to enable it. Any thoughts/ideas?

https://www.infineon.com/dgdl/Infineon-TC27xDC-DS-v01_00-EN.pdf?fileId=5546d462694c98b4016953972c57046a

I am under the impression that I can't trace because a) the board is multiple layers and b) the chip is in a special FBGA packaging that hides the pins?

I'd love to pair with you on this. Any advice? I think one mistake I am making is I am putting GND in the pin array, but taking it out yields no difference.

brandonros commented 4 years ago

image

brandonros commented 4 years ago

image

brandonros commented 4 years ago

I am told there is no external MCU. All of the other chips on the board are auxiliary chips for converting voltage levels from TTL to CAN-H/L etc.

ikarus23 commented 4 years ago

First-time JTAGenum user here: I'm using a Teensy 4.0 at a known JTAG port (dev board). The IDCODE scan method works, but not very reliably. I've noticed that I get better results when downclocking the Teensy to 150MHz instead of 600MHz. Is this normal? Is it more reliable on an Arduino?

OT: The output is very verbose for cases where it needn't be. With IDCODE scan, TDI cannot be identified. Why print different pin layouts where only TDI changes?
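
Added example, not part of the thread and not JTAGenum's own code: a simplified software model of an IEEE 1149.1 TAP showing why an IDCODE scan returns the same value whatever the guessed TDI pin drives, plus a plausibility and repeated-read check for the unreliable reads described in the last comment. The sample IDCODE, the function names and the target model are constructed for illustration.

```c
#include <stdint.h>

/* Constructed sample IDCODE (not from the thread):
   version 0x1, part 0x2345, manufacturer 0x0AB, mandatory LSB = 1. */
#define SAMPLE_IDCODE 0x12345157u

/* IEEE 1149.1 TAP controller, NEXT[state][TMS].
   0 TLR, 1 RTI, 2 SelDR, 3 CapDR, 4 ShiftDR, 5 Exit1DR, 6 PauseDR, 7 Exit2DR,
   8 UpdDR, 9 SelIR, 10 CapIR, 11 ShiftIR, 12 Exit1IR, 13 PauseIR, 14 Exit2IR, 15 UpdIR */
static const int NEXT[16][2] = {
    {1,0},{1,2},{3,9},{4,5},{4,5},{6,8},{6,7},{4,8},
    {1,2},{10,0},{11,12},{11,12},{13,15},{13,14},{11,15},{1,2}};

typedef struct { int state; uint32_t dr; } tap_t;

/* One TCK cycle of the simulated target: return the TDO level the host samples,
   then apply the rising edge. After reset, IDCODE is the selected data register. */
static int tap_clock(tap_t *t, int tms, int tdi) {
    int tdo = (t->state == 4) ? (int)(t->dr & 1u) : 1;  /* TDO idles high here */
    if (t->state == 3) t->dr = SAMPLE_IDCODE;           /* Capture-DR */
    else if (t->state == 4) t->dr = (t->dr >> 1) | ((uint32_t)tdi << 31);
    t->state = NEXT[t->state][tms];
    return tdo;
}

/* Host side: reset the TAP, walk to Shift-DR, clock out 32 bits LSB first.
   tdi_level stands in for whatever the pin guessed as TDI happens to drive. */
uint32_t idcode_scan(int start_state, int tdi_level) {
    tap_t t = { start_state, 0 };
    uint32_t v = 0;
    int i;
    for (i = 0; i < 5; i++) tap_clock(&t, 1, tdi_level);  /* any state -> TLR */
    tap_clock(&t, 0, tdi_level);                          /* -> Run-Test/Idle */
    tap_clock(&t, 1, tdi_level);                          /* -> Select-DR */
    tap_clock(&t, 0, tdi_level);                          /* -> Capture-DR */
    tap_clock(&t, 0, tdi_level);                          /* capture, -> Shift-DR */
    for (i = 0; i < 32; i++) v |= (uint32_t)tap_clock(&t, 0, tdi_level) << i;
    return v;
}

/* Reject reads that cannot be an IDCODE: bit 0 must be 1, and a TDO stuck
   high reads as all ones. */
int idcode_plausible(uint32_t v) { return (v & 1u) && v != 0xFFFFFFFFu; }

/* Accept a value only if n repeated reads agree, to catch marginal timing. */
int idcode_stable(const uint32_t *reads, int n) {
    int i;
    if (n < 2 || !idcode_plausible(reads[0])) return 0;
    for (i = 1; i < n; i++) if (reads[i] != reads[0]) return 0;
    return 1;
}
```

Because the 32 bits read out are the ones captured from the IDCODE register, the bits shifted in from TDI never reach TDO during the scan, so every TDI candidate yields the same result.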